Myles Hosford, Security Solution Architect, APAC, AWS
James Wilkins, Lead of the Cloud Task Force, Association of Banks Singapore (ABS)
In this session we will explore the current financial regulatory landscape and future compliance trends. We will dive deep into how to leverage AWS services to implement next generation security and compliance at scale. The session will be delivered by Myles Hosford, APAC Security Solution Architect, and James Wilkins, Lead of the Cloud Task Force for the Association of Banks Singapore (ABS).
2. MAS Outsourcing Guidelines
“CS can potentially offer a number of advantages, which include economies of scale, cost-savings, access to quality system administration as well as operations that adhere to uniform security standards and best practices.”
MAS Outsourcing Guidelines 2016
3. ABS Cloud Implementation Guide
“The guiding principle that information security controls in the Cloud must be at least as strong as what the FIs would have implemented had the operations been performed in-house should apply”
Due Diligence | Data Protection | Disaster Recovery
11. Next Generation Security Benefits
• Automate with deeply integrated security services
• Inherit global security and compliance controls
• Highest standards for privacy and data security
• Largest network of security partners and solutions
• Scale with superior visibility and control
12. AWS Security Services
• Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
• Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs, Amazon EC2 Systems Manager
• Infrastructure security: AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
• Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
• Incident response: AWS Config Rules, AWS Lambda
13. Identity and access management
Define, enforce, and audit user permissions across AWS services, actions and resources.
FINE GRAINED ACCESS CONTROL | MULTI FACTOR AUTHENTICATION
14. Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
AMAZON GUARDDUTY – INTELLIGENT THREAT DETECTION
15. Infrastructure security
Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS.
(Diagram: ATTACKERS / AWS CUSTOMERS)
16. Data protection
In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).
(Diagram: AWS Certificate Manager, ACM Certificate, Elastic Load Balancing, Amazon CloudFront, Developers)
17. Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.
(Diagram: Amazon CloudWatch → CloudWatch Event → Lambda Function (AWS Lambda) → Automated Response)
18. Next Generation Security Postures
• Everything as Code
• Ubiquitous Encryption
• Automated Compliance
• No SSH or RDP for Admin
20. AWS Systems Manager Components
Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store, Documents
21. Operations at scale without SSH/RDP
• Remotely manage thousands of Windows and Linux instances running on Amazon EC2 or on-premises
• Control user actions and scope with secure, granular access control
• Safely execute changes with rate control to reduce blast radius
• Audit every user action with change tracking
(Diagram: AWS Cloud, Corporate data center, IT Admin / DevOps Engineer, Role-based Access Control)
24. Everything as Code: Your Security Controls
REGULATORY CONTROLS | INDUSTRY CONTROLS
25. Everything as Code
(Diagram: Amazon Virtual Private Cloud with an EC2 instance (WEB) behind a security group, an APP tier behind a security group, an S3 bucket (encrypted AES256) and AWS KMS; control areas: Logging & Monitoring, VPC Security)
✓ Cyber Security
✓ IT Audit
✓ Application
✓ Operations
29. Everything as Code: Audit
(Diagram: Any IP on the Internet; Telnet, insecure, clear-text protocol)
Mis-configuration prevented & detected BEFORE the environment is even built!
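An added example, not the deck's own code, of the pre-build audit this slide describes: it reads a constructed CloudFormation template and flags security-group ingress rules that allow Telnet, a clear-text protocol, or that open admin ports to any IP on the Internet. It assumes the flagged rule is a security-group ingress rule, as the surrounding slides suggest; the template, port lists and resource names are assumptions.

```python
"""Pre-deployment audit of security-group ingress rules in a CloudFormation
template. Added example, not the deck's code; template is constructed."""
import json

CLEAR_TEXT_PORTS = {23: "telnet"}          # clear-text: flag from any source
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}     # flag only when open to any IP
ANY_IP = {"0.0.0.0/0", "::/0"}

# Constructed template: one bad telnet rule, one RDP-from-anywhere rule,
# and two rules that should pass (HTTPS to the world, SSH from the VPC).
TEMPLATE = json.loads("""{"Resources": {
 "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
   "GroupDescription": "web tier", "SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23, "CidrIp": "0.0.0.0/0"}]}},
 "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
   "GroupDescription": "app tier", "SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/16"},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIpv6": "::/0"}]}}
}}""")

def port_range(rule):
    """Inclusive port range of a rule; protocol -1 or missing ports = all."""
    if rule.get("IpProtocol") == "-1" or "FromPort" not in rule:
        return 0, 65535
    return int(rule["FromPort"]), int(rule["ToPort"])

def audit_template(template):
    """Return (resource, port, source, reason) findings for every
    AWS::EC2::SecurityGroup in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            lo, hi = port_range(rule)
            source = (rule.get("CidrIp") or rule.get("CidrIpv6")
                      or rule.get("SourceSecurityGroupId", "unknown"))
            for port, proto in CLEAR_TEXT_PORTS.items():
                if lo <= port <= hi:
                    findings.append((name, port, source, proto + " is a clear-text protocol"))
            if source in ANY_IP:
                for port, proto in ADMIN_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((name, port, source, proto + " open to any IP on the Internet"))
    return findings

if __name__ == "__main__":
    for finding in audit_template(TEMPLATE):
        print("FAIL %s: port %d from %s (%s)" % finding)
```

Run it against a real template by loading the file into TEMPLATE; a non-empty findings list is the signal to fail the pipeline before the stack is created.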
34. Controls and Visibility
CloudTrail provides:
• Who decrypted data
• When data was decrypted
• Where data was decrypted from
• Stored for audit and inspection
(Diagram: Consumer requests, KMS, CloudTrail, S3)
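An added example, not from the deck, of pulling the who, when and where out of CloudTrail KMS Decrypt records and flagging calls from outside a trusted source for inspection. The records, account ID, key ARN and the 10.0.0.0/8 trusted range are constructed assumptions.

```python
"""Who / when / where audit of KMS Decrypt calls in CloudTrail. Added
example, not the deck's code; RECORDS are constructed, not real events."""
import ipaddress
import json

# Constructed CloudTrail records holding only the fields used below.
RECORDS = json.loads("""[
 {"eventTime": "2018-06-01T09:12:03Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "sourceIPAddress": "10.20.1.15",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0app1"},
  "resources": [{"ARN": "arn:aws:kms:ap-southeast-1:111122223333:key/0000-constructed-key"}]},
 {"eventTime": "2018-06-01T09:15:44Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "resources": [{"ARN": "arn:aws:kms:ap-southeast-1:111122223333:key/0000-constructed-key"}]},
 {"eventTime": "2018-06-01T09:16:02Z", "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey", "sourceIPAddress": "s3.amazonaws.com",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "resources": [{"ARN": "arn:aws:kms:ap-southeast-1:111122223333:key/0000-constructed-key"}]}
]""")

# Where decrypts are expected from: the VPC range (assumed 10.0.0.0/8) and
# AWS services acting for the account, whose sourceIPAddress is a DNS name.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

def source_is_trusted(source):
    """True for an AWS service caller or an IP inside TRUSTED_NETWORKS."""
    if source.endswith(".amazonaws.com"):
        return True
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)

def decrypt_audit(records):
    """One who/when/where entry per KMS Decrypt call, with a trust flag
    so decrypts from unexpected places can be surfaced for inspection."""
    entries = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "Decrypt":
            continue
        key = next((r["ARN"] for r in rec.get("resources", []) if ":key/" in r.get("ARN", "")), None)
        entries.append({"who": rec["userIdentity"]["arn"],
                        "when": rec["eventTime"],
                        "where": rec["sourceIPAddress"],
                        "key": key,
                        "trusted": source_is_trusted(rec["sourceIPAddress"])})
    return entries
```

On a real trail, feed the "Records" array of each delivered log file to decrypt_audit and review the entries whose trusted flag is False.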
38. Automating Compliance: Encryption
User launches a new server without encryption → AWS Config reviews the change against controls you define, in near real-time → Automated response to perform encryption, or to terminate the server
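An added example, not the deck's code, of the evaluation step in this flow: a custom AWS Config rule (Lambda handler) that classifies an EBS volume as compliant or not from its encryption flag and selects one of the two automated responses the slide shows. The event shape follows Config's custom-rule contract; the sample event, rule parameter and resource IDs are constructed.

```python
"""Custom AWS Config rule: classify an EBS volume by its encryption flag and
pick the automated response. Added example, not the deck's code; assumes the
standard Config custom-rule event shape, SAMPLE_EVENT is constructed."""
import json

SAMPLE_EVENT = {  # constructed, shaped like the event Config sends a rule
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": "vol-0constructed0001",
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2018-06-01T09:00:00.000Z",
        "configuration": {"encrypted": False,
                          "attachments": [{"instanceId": "i-0constructed0001"}]}}}),
    "ruleParameters": json.dumps({"action": "terminate"}),  # or "encrypt"
    "resultToken": "constructed-token",
}

def evaluate_volume(ci):
    """Map one configuration item to the evaluation Config expects back."""
    if (ci["resourceType"] != "AWS::EC2::Volume"
            or ci["configurationItemStatus"] == "ResourceDeleted"):
        compliance, note = "NOT_APPLICABLE", "not an active EBS volume"
    elif ci["configuration"].get("encrypted"):
        compliance, note = "COMPLIANT", "volume is encrypted at rest"
    else:
        compliance, note = "NON_COMPLIANT", "volume created without encryption"
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}

def choose_response(evaluation, ci, params):
    """For a NON_COMPLIANT volume pick 'encrypt' (rebuild it from an encrypted
    snapshot) or 'terminate' (stop the attached instance); runs elsewhere."""
    if evaluation["ComplianceType"] != "NON_COMPLIANT":
        return None
    attached = ci["configuration"].get("attachments", [])
    return {"action": params.get("action", "encrypt"),
            "volume": ci["resourceId"],
            "instance": attached[0]["instanceId"] if attached else None}

def lambda_handler(event, context=None):
    """Parse the Config event; a deployed rule would then send the evaluations
    back with config.put_evaluations(Evaluations=..., ResultToken=event["resultToken"])."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = evaluate_volume(ci)
    return {"evaluations": [evaluation],
            "response": choose_response(evaluation, ci, params)}
```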
42. Design Principles
✓ Implement a strong identity foundation
✓ Enable traceability
✓ Apply security at all layers
✓ Automate security best practices
✓ Protect data in transit and at rest
✓ Prepare for security events
AWS Well-Architected: Security
43. “CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly, and reliably leverage the benefits of this increasingly ubiquitous computing model.”
Source: Clouds Are Secure: Are You Using Them Securely?